Docker 容器内无法访问主机

Question

I've got a docker container on host 183.83.83.83 The A record of a subdomain mycontainer.example.com points to this IP.

A curl to 183.83.83.83 or mycontainer.example.com gives HTTP status 200 and the correct website.

However the same curl from inside every container on that host (to both the IP or hostname above) fails to connect:

curl: (7) Failed to connect to mycontainer.example.com port 80: Host is unreachable

This doesn't happen when trying this from a Docker container from another host or from the host itself.

What is going wrong here?

EDIT: More details: The host runs an Nginx-proxy container which proxies all requests to mycontainer.example.com to my frontend container (running a React application through a little node webserver). The frontend container is supposed to proxy all API requests from mycontainer.example.com/api to mycontainer.example.com:1337/api/v1 . However it can't proxy the API requests because I get the error Host is unreachable from inside all containers running on this host.

Answer 1

I know it is an old question but for anybody coming here, the solution, at least on Linux, is to allow incoming network packets to host from docker bridge network by modifying the iptables of the host as following:

sudo iptables -I INPUT -i docker0 -j ACCEPT

It translates to accept all incoming network packets on host from docker bridge network (assuming it is docker0) ie traffic from docker containers.

Here are the details:

-I INPUT means to insert a netfilter rule for incoming packets to host
-i docker0 means packets from docker0 interface of the host
-j ACCEPT means accept all packets since a protocol is not defined it implies that packets of any protocol are welcome.

Refer to iptables --help and netfilter website for more details.

Answer 2

The more current approach of using FirewallD would be to execute the following commands:

firewall-cmd --permanent --zone=trusted --change-interface=docker0
firewall-cmd --reload

Answer 3

Fedora 32 switched the backend for the firewall from iptables to nftables. I didn't find how to fix things with nftables, however I found how to switch back to iptables.

While the following commands don't look like best practice, they work for me.

sudo sed -i 's/FirewallBackend=nftables/FirewallBackend=iptables/g' /etc/firewalld/firewalld.conf
sudo systemctl restart firewalld docker

Source: https://dev.to/ozorest/fedora-32-how-to-solve-docker-internal-network-issue-22me

Answer 4

Here my solution:

if command -v firewall-cmd > /dev/null; then
  NIC=$(ip addr | grep {{docker.network.host.ip}} | awk '{ print $7 }')
  echo "Trusting NIC \"${NIC}\"..."

     sudo firewall-cmd --permanent --zone=trusted --change-interface=${NIC} \
  && sudo firewall-cmd --reload \
  && sudo systemctl restart firewalld \
  || exit $?
fi

Answer 5

I had this issue trying to change a docker-compose network, to fix I deleted all unused networks.

docker network ls <- this will list you networks

DO NOT DELETE THOSE:

NETWORK ID     NAME                DRIVER    SCOPE
970599083e1f   bridge              bridge    local
dddff9d5ec3e   host                host      local
15a80e0436c2   none                null      local

docker network rm <ID|NAME> <- this will delete a network